
Using Kerberos implies that your clients' browsers must be configured properly!

Depending upon which browser your clients use, you have to set up the Kerberos configuration in a different way. Please note that without a properly configured browser, the Kerberos token is not sent to the server, and so SSO will not work!

Internet Explorer

The URL http://webserver.test.ad must be added to Internet options > Security > Local intranet. You can deploy this setting by using a group policy for the node Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List. Each of your SSO-enabled sites has to be in the Intranet zone (value = 1). You can use wildcards like "https://*.test.ad".

After you have configured the setting, it should look like this:



Please note that enforcing a GPO for the Site to Zone Assignment List no longer allows your users to edit the setting on their own! There are two options:

  1. Collect each custom configuration and assemble the complete list. In most cases you can use a wildcard on your internal domain like https://*.test.ad and http://*.test.ad to include all internal sites.
  2. Configure a custom assignment list by using a logon script or something like OpsCode Chef or Microsoft's Desired State Configuration.

The first option should be the way to go.

Check the other security settings

Please make sure that your SSO-enabled domain is only entered in the Local intranet zone and nowhere else! If you have mistakenly entered the same domain in both Trusted sites and Local intranet, the first one is used and no Kerberos token is sent by Internet Explorer to the webserver.
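The logon-script variant of option 2 above, together with the zone check from this section, as an added PowerShell example that is not part of the original page: Set-IntranetZone writes the per-user ZoneMap registry entries that put a domain (and all of its subdomains) into the Local intranet zone, and Test-ZoneConflict reports any scheme of that domain that ends up in a different zone, including entries pushed by the Site to Zone Assignment List policy. The domain test.ad is the page's example; the function names and the registry layout described in the comments are assumptions of this example.

```powershell
# Added example (not from the original page): logon-script deployment of the
# Local intranet zone assignment, plus a check for conflicting zone entries.
# Registry layout assumed here: one subkey per domain below ZoneMap\Domains,
# with a DWORD per scheme ('http', 'https') holding the zone id.

$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
# Zone ids written by the GPO as well: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.
$LocalIntranetZone = 1
# Key the Site to Zone Assignment List policy populates (assumed layout: value name = URL pattern, data = zone id).
$PolicyZoneMapKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Set-IntranetZone {
    param(
        [Parameter(Mandatory)] [string]   $Domain,                   # e.g. 'test.ad' covers *.test.ad
        [string[]]                        $Schemes = @('http', 'https')
    )
    $key = Join-Path $ZoneMapDomains $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($scheme in $Schemes) {
        New-ItemProperty -Path $key -Name $scheme -PropertyType DWord `
            -Value $LocalIntranetZone -Force | Out-Null
    }
}

function Test-ZoneConflict {
    # Returns one object per (domain, scheme) that is NOT in the Local intranet zone.
    param([Parameter(Mandatory)] [string] $Domain)
    $conflicts = @()

    # 1. Per-user ZoneMap entries, e.g. set by hand in Internet options.
    $key = Join-Path $ZoneMapDomains $Domain
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($scheme in 'http', 'https') {
            $zone = $props.$scheme
            if ($null -ne $zone -and $zone -ne $LocalIntranetZone) {
                $conflicts += [pscustomobject]@{ Source = 'ZoneMap'; Pattern = "$scheme://$Domain"; Zone = $zone }
            }
        }
    }

    # 2. Entries enforced by the Site to Zone Assignment List GPO.
    if (Test-Path $PolicyZoneMapKey) {
        $policy = Get-ItemProperty -Path $PolicyZoneMapKey
        foreach ($p in $policy.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                   # skip PowerShell metadata properties
            if ($p.Name -like "*$Domain*" -and [int]$p.Value -ne $LocalIntranetZone) {
                $conflicts += [pscustomobject]@{ Source = 'GPO'; Pattern = $p.Name; Zone = $p.Value }
            }
        }
    }
    return $conflicts
}

# Usage: assign the SSO domain and then verify nothing else claims it.
Set-IntranetZone -Domain 'test.ad'
$problems = Test-ZoneConflict -Domain 'test.ad'
if ($problems) {
    Write-Warning 'Domain is assigned to another zone as well; Internet Explorer will not send a Kerberos token:'
    $problems | Format-Table -AutoSize
} else {
    Write-Host 'test.ad is only in the Local intranet zone.'
}
```

Run it in the user's context (the keys live under HKCU); when the GPO is enforced, the ZoneMapKey entries win over the per-user ZoneMap, so a warning from the GPO source is the one to fix first.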

Chrome

In order to use Chrome for SSO you also must deploy the settings shown in the Internet Explorer configuration above.

Newer versions of Chrome automatically detect the Kerberos negotiation and transmit your token. In case you are using an outdated version of Chrome, we strongly recommend updating it for security reasons.

If an update is not possible at all, Chrome must be started with the parameter

--auth-server-whitelist="*.test.ad"

like

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --auth-server-whitelist="*.test.ad"

This setting can be automatically deployed by using group policies.

  1. Download the official group policy templates for Chrome
  2. Follow the installation procedure and open the chrome.admx
  3. Configure a policy for the option AuthServerWhitelist
  4. Deploy the policy
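The same AuthServerWhitelist policy written directly to the machine-wide Chrome policy registry key, as an added PowerShell example that is not part of the original page or of the Chrome project. The pattern *.test.ad and the policy name come from the page; the function names, the registry path and the simplified wildcard matcher used for the read-back check are assumptions of this example.

```powershell
# Added example (not from the original page): deploy and verify the Chrome
# AuthServerWhitelist policy through the registry instead of the ADMX editor.
# Assumed: Chrome reads machine policies from HKLM:\SOFTWARE\Policies\Google\Chrome
# and expects the allow-list as ONE comma-separated REG_SZ value.

$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeAuthServerWhitelist {
    param([Parameter(Mandatory)] [string[]] $Patterns)   # e.g. '*.test.ad'
    if (-not (Test-Path $ChromePolicyKey)) { New-Item -Path $ChromePolicyKey -Force | Out-Null }
    New-ItemProperty -Path $ChromePolicyKey -Name 'AuthServerWhitelist' -PropertyType String `
        -Value ($Patterns -join ',') -Force | Out-Null
}

function Get-ChromeAuthServerWhitelist {
    # Returns the configured patterns as an array, or an empty array when the policy is absent.
    if (-not (Test-Path $ChromePolicyKey)) { return @() }
    $value = (Get-ItemProperty -Path $ChromePolicyKey -ErrorAction SilentlyContinue).AuthServerWhitelist
    if ([string]::IsNullOrWhiteSpace($value)) { return @() }
    return @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-HostAllowed {
    # Approximation of Chrome's matching: '*' in a pattern is a wildcard, as in PowerShell's -like.
    param([Parameter(Mandatory)] [string] $HostName)
    foreach ($pattern in Get-ChromeAuthServerWhitelist) {
        if ($HostName -like $pattern) { return $true }
    }
    return $false
}

# Usage (needs an elevated shell because the key is under HKLM).
Set-ChromeAuthServerWhitelist -Patterns '*.test.ad'
Test-HostAllowed 'webserver.test.ad'      # True: the page's example host is covered
Test-HostAllowed 'portal.partner.example' # False: Chrome will not offer a token to hosts outside the list
```

The check at the end is the point of the read-back: a list that is too narrow silently breaks SSO, while a list that is too broad (for example a bare *) offers the Kerberos token to any server that asks for it, which is exactly what the whitelist is meant to prevent.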

Firefox

In Firefox you have to go to the about:config page and set the preferences

network.negotiate-auth.trusted-uris
network.automatic-ntlm-auth.trusted-uris

to http://webserver.test.ad.

The deployment of these settings can be done by using GPO for Firefox. This is a plug-in for Firefox which itself has to be deployed automatically and/or bundled with your NETLOGON script.
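An alternative way to push the two preferences from a NETLOGON script without the plug-in, as an added PowerShell example that is not part of the original page: it writes them into a user.js file in each Firefox profile of the current user, and reads them back for verification. The preference names and the URI http://webserver.test.ad are from the page; the profile directory layout, the function names and the use of user.js (which Firefox applies on every start) are assumptions of this example.

```powershell
# Added example (not from the original page): deploy the two trusted-uris
# preferences via user.js, which Firefox re-applies at every start.
# Assumed profile layout: %APPDATA%\Mozilla\Firefox\Profiles\<name>\user.js

$SsoPrefNames = @('network.negotiate-auth.trusted-uris', 'network.automatic-ntlm-auth.trusted-uris')

function Set-FirefoxSsoPrefs {
    param(
        [Parameter(Mandatory)] [string] $TrustedUris,   # comma-separated list is allowed by Firefox
        [string] $ProfilesRoot = (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles')
    )
    if (-not (Test-Path $ProfilesRoot)) { return @() }
    $newLines = $SsoPrefNames | ForEach-Object { "user_pref(`"$_`", `"$TrustedUris`");" }
    $written = @()
    foreach ($profile in Get-ChildItem -Path $ProfilesRoot -Directory) {
        $userJs = Join-Path $profile.FullName 'user.js'
        # Keep unrelated lines from an existing user.js; drop stale copies of the two prefs.
        $kept = @()
        if (Test-Path $userJs) {
            $kept = @(Get-Content -Path $userJs | Where-Object {
                $line = $_
                -not ($SsoPrefNames | Where-Object { $line -like "*$_*" })
            })
        }
        Set-Content -Path $userJs -Value ($kept + $newLines) -Encoding UTF8
        $written += $userJs
    }
    return $written
}

function Get-FirefoxSsoPrefs {
    # Parses user.js and returns a hashtable: pref name -> configured value.
    param([Parameter(Mandatory)] [string] $UserJsPath)
    $result = @{}
    if (-not (Test-Path $UserJsPath)) { return $result }
    foreach ($line in Get-Content -Path $UserJsPath) {
        if ($line -match '^user_pref\("([^"]+)",\s*"([^"]*)"\);') {
            if ($SsoPrefNames -contains $matches[1]) { $result[$matches[1]] = $matches[2] }
        }
    }
    return $result
}

# Usage: deploy, then confirm both prefs point at the SSO host in every profile.
foreach ($file in Set-FirefoxSsoPrefs -TrustedUris 'http://webserver.test.ad') {
    $prefs = Get-FirefoxSsoPrefs -UserJsPath $file
    $missing = $SsoPrefNames | Where-Object { $prefs[$_] -ne 'http://webserver.test.ad' }
    if ($missing) { Write-Warning "$file is missing: $($missing -join ', ')" }
    else { Write-Host "$file configured for http://webserver.test.ad" }
}
```

Because user.js overrides whatever the user set in about:config, this keeps the value in place even if someone edits it by hand; keep the URI list as narrow as the page suggests (the SSO host or your internal domain), since every host on it will be offered the Kerberos token.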